ESET Research discovers KryptoCibule: The multitasking multicurrency cryptostealer
Created: 2020-09-02 08:11:27
BRATISLAVA, MONTREAL – ESET researchers have discovered a previously undocumented trojan malware family that spreads through malicious torrents and that uses multiple tricks to squeeze as many cryptocoins as possible from its victims while staying under the radar. ESET named the threat KryptoCibule, and according to ESET telemetry the malware seems to primarily target users in the Czech Republic and Slovakia.
This malware is a triple threat in regard to cryptocurrencies. It uses the victim’s resources to mine coins, tries to hijack transactions by replacing wallet addresses in the clipboard and exfiltrates cryptocurrency-related files, all while deploying multiple techniques to avoid detection. KryptoCibule makes extensive use of the Tor network and the BitTorrent protocol in its communication infrastructure.
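The clipboard-hijacking component described above works by replacing a copied wallet address with one controlled by the operators. The following Python snippet is an added defender-side illustration and is not ESET's code nor part of KryptoCibule: it runs a simple heuristic over a constructed sequence of clipboard snapshots and flags the pattern a hijacker produces, namely one address-shaped value being replaced by a different address of the same currency within a very short interval with no user action in between. The address regexes, the two-second window and the sample events are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Approximate address shapes for two common currencies (assumption for the
# example; real validation would also check the address checksum).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the currency whose address shape `text` matches, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class ClipboardEvent:
    """One clipboard snapshot: time in seconds and the clipboard text."""
    t: float
    text: str


def find_suspected_swaps(
    events: List[ClipboardEvent], window: float = 2.0
) -> List[Tuple[str, str, str]]:
    """Flag transitions where an address is replaced by a *different* address
    of the same currency within `window` seconds.

    A human who copies a second address normally needs far longer than two
    seconds; a hijacker that watches the clipboard reacts almost instantly.
    Returns (original, replacement, currency) tuples.
    """
    suspects = []
    for prev, cur in zip(events, events[1:]):
        before, after = prev.text.strip(), cur.text.strip()
        currency = classify(before)
        if (
            currency is not None
            and classify(after) == currency
            and before != after
            and 0 <= cur.t - prev.t <= window
        ):
            suspects.append((before, after, currency))
    return suspects


def matches_intended(intended: str, clipboard: str) -> bool:
    """User-level mitigation: compare the address you meant to send to with
    what is actually on the clipboard right before confirming a transaction."""
    return intended.strip() == clipboard.strip()


# Constructed sample timeline (not real addresses or telemetry).
VICTIM_BTC = "bc1q" + "victimwallet" + "0" * 15
ATTACKER_BTC = "bc1q" + "attackerwallet" + "0" * 15
USER_ETH = "0x" + "ab" * 20

SAMPLE_EVENTS = [
    ClipboardEvent(0.0, VICTIM_BTC),      # user copies their own BTC address
    ClipboardEvent(0.3, ATTACKER_BTC),    # clipboard silently changes 300 ms later
    ClipboardEvent(45.0, USER_ETH),       # much later the user copies an ETH address
    ClipboardEvent(60.0, "meeting notes"),  # ordinary, non-address clipboard use
]


if __name__ == "__main__":
    for original, replacement, currency in find_suspected_swaps(SAMPLE_EVENTS):
        print(f"[{currency}] clipboard swap suspected: {original} -> {replacement}")
    print("paste matches intended:", matches_intended(VICTIM_BTC, ATTACKER_BTC))
```

The heuristic is deliberately narrow: it ignores a change from an address to unrelated text and a change between currencies, both of which are normal user behaviour, and it only fires on the same-currency replacement that a hijacker must perform for the theft to work. The final check is the mitigation ESET's description implies for end users: re-read the address at paste time rather than trusting the clipboard.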
“The malware, as written, employs some legitimate software. Some, such as Tor and the Transmission torrent client, are bundled with the installer; others are downloaded at runtime, including Apache httpd and the Buru SFTP server,” says Matthieu Faou, ESET Researcher who uncovered the new malware family.
ESET has identified multiple versions of KryptoCibule, enabling us to trace its evolution all the way back to December 2018; it remains active. New capabilities have regularly been added to the malware over its lifetime, and it is under constant development.
Most of the victims were in the Czech Republic and Slovakia, and this reflects the user base of the site on which the infected torrents are found. Almost all the malicious torrents were available on uloz.to, a popular file-sharing site in the two countries. Additionally, KryptoCibule specifically checks for ESET, Avast and AVG endpoint security products; ESET is headquartered in Slovakia, while the other two are owned by Avast, which is headquartered in the Czech Republic.
“KryptoCibule has three components that leverage infected hosts in order to obtain cryptocurrencies: cryptomining, clipboard hijacking and file exfiltration,” explains Faou. “Presumably the malware operators were able to earn more money by stealing wallets and mining cryptocurrencies than what we found in the wallets used by the clipboard hijacking component. Alone, the revenue generated by that component does not seem enough to justify the development effort observed,” he adds.
For more technical details about KryptoCibule, read the blogpost “KryptoCibule: The multitasking multicurrency cryptostealer” on WeLiveSecurity. Make sure to follow ESET research on Twitter for the latest news from ESET Research.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.